Wireshark-users: Re: [Wireshark-users] filter to capture ospf pacets?



From: "Small, James" <JSmall@xxxxxxxxxxxxxx>
Date: Thu, 2 Nov 2006 15:26:02 -0500

Stan,

I believe you have it, but just to reiterate:
The most common capture is usually TCP/IP over Ethernet.

So if we look at a capture of TCP/IP traffic over Ethernet, a typical
Frame looks like this:
Ethernet Frame which "carries" a Network Protocol (such as IP)
IP Datagram which "carries" a Transport Protocol (such as UDP or TCP or
OSPF)
UDP Datagram or TCP Segment which "carries" a Service/Application (a
Port)
Service/Application Data or Possibly Additional Layers (e.g. Http, XML,
etc...)

So when we're talking about a "protocol" in this case, we're talking
about the Transport Protocol that IP is "carrying"

So for OSPF, it's protocol 89 or 0x59 in Hexadecimal (as displayed by
Wireshark)

This is important to understand - I often find that there is some
confusion in the difference between a Transport Protocol or Layer 4
Protocol and a Port/Service/Application which typically uses UDP or TCP.

/etc/protocols in UNIX/Linux or %windir%\system32\drivers\etc\protocol
in Windows NT+ or IANA (best source) has the list of protocols that IP
can "carry" which range from 0-255.

/etc/services (Windows dir, IANA too) has the list of ports (0-65535)
for TCP and UDP and what the assigned service/application/daemon is.

Popular protocols:
1 - ICMP
6 - TCP
17 - UDP
47 - GRE
50 - ESP (IPSec)
51 - AH (IPSec)
88 - EIGRP
89 - OSPF

Some Popular Services which ride on UDP/TCP:
TCP/21 - FTP
TCP/22 - SSH
TCP/25 - SMTP
TCP/80 - HTTP

UDP/53 - DNS
UDP/67 - DHCP/BOOTP Server
UDP/69 - TFTP
UDP/161 - SNMP

I hope this helps and please let me know if it's not clear,
  --Jim

-----Original Message-----
On Thu, Nov 02, 2006 at 05:50:23PM +0000, LEGO wrote:
> cat /etc/protos
> 
> 
Ah, /etc/services brother. Thanks, I did not even know that was there.

-- 
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)
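The layering Jim walks through (Ethernet carries IP, IP carries a protocol number, and only TCP/UDP carry ports) as an added, runnable example. This is not code from the mailing-list post or from Wireshark: it hand-parses two constructed frames with the Python standard library, keeps a small hand-copied subset of the IANA protocol and service tables, and uses its own helper names (build_frame, dissect, filters_for). The point it makes is the one in the post: OSPF is IP protocol 89 (0x59), so the capture filter has to test the IP protocol field, and there is no port to look up for it.

```python
"""Ethernet -> IP -> transport layering, as the post describes it.

Added example; not code from the original mailing-list post or from
Wireshark. Standard library only: frames are constructed inline, the
protocol/service tables are small hand-copied subsets of the IANA
assignments, and the helper names are this example's own.
"""
import struct

ETHERTYPE_IPV4 = 0x0800

# Subset of IANA IP protocol numbers (the /etc/protocols list the post refers to).
IP_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP", 47: "GRE", 50: "ESP",
                51: "AH", 88: "EIGRP", 89: "OSPF"}

# Subset of /etc/services, keyed by (transport name, port).
SERVICES = {("TCP", 21): "FTP", ("TCP", 22): "SSH", ("TCP", 25): "SMTP",
            ("TCP", 80): "HTTP", ("UDP", 53): "DNS", ("UDP", 67): "DHCP/BOOTP",
            ("UDP", 69): "TFTP", ("UDP", 161): "SNMP"}


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over the IPv4 header (0 when the header verifies)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(proto: int, payload: bytes, src="10.0.0.1", dst="224.0.0.5") -> bytes:
    """Constructed Ethernet/IPv4 frame whose IP 'protocol' field is `proto`."""
    eth = (bytes.fromhex("01005e000005")          # dst MAC (constructed)
           + bytes.fromhex("000c29aabbcc")        # src MAC (constructed)
           + struct.pack("!H", ETHERTYPE_IPV4))
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    # ver/ihl, tos, total length, id, flags/frag, ttl, protocol, checksum, src, dst
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                      0x1234, 0x4000, 1, proto, 0, src_b, dst_b)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return eth + hdr + payload


def dissect(frame: bytes) -> dict:
    """Peel Ethernet, then IPv4, then (only for TCP/UDP) the port layer."""
    if len(frame) < 14 + 20:
        raise ValueError("runt frame")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        return {"ethertype": ethertype, "ip_proto": None}
    ip = frame[14:]
    ver_ihl, proto = ip[0], ip[9]
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(ip) < ihl:
        raise ValueError("malformed IPv4 header")
    if ipv4_checksum(ip[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    result = {"ethertype": ethertype, "ip_proto": proto,
              "ip_proto_name": IP_PROTOCOLS.get(proto, "unknown"),
              "src_port": None, "dst_port": None, "service": None}
    # Ports only exist inside a TCP segment or UDP datagram.  OSPF (89) sits
    # directly on IP, so there is nothing to look up in /etc/services for it.
    if proto in (6, 17):
        if len(ip) < ihl + 4:
            raise ValueError("truncated transport header")
        sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
        name = IP_PROTOCOLS[proto]
        result.update(src_port=sport, dst_port=dport,
                      service=SERVICES.get((name, dport)) or SERVICES.get((name, sport)))
    return result


def filters_for(proto: int) -> dict:
    """libpcap capture filter and Wireshark display filter for one IP protocol number."""
    return {"capture": "ip proto %d" % proto,
            "display": "ip.proto == 0x%02x" % proto}


# Constructed sample packets (not real captures).
OSPF_HELLO = bytes.fromhex("0201" "0018" "c0a80001" "00000000"   # v2, Hello, len 24, router id, area 0
                           "0000" "0000" "0000000000000000")      # checksum, auth type, auth data
OSPF_FRAME = build_frame(89, OSPF_HELLO)
DNS_FRAME = build_frame(17, struct.pack("!HHHH", 53412, 53, 20, 0) + b"\x00" * 12,
                        src="10.0.0.2", dst="10.0.0.53")

if __name__ == "__main__":
    for label, frame in (("OSPF", OSPF_FRAME), ("DNS", DNS_FRAME)):
        print(label, dissect(frame))
    print(filters_for(89))
```

The numeric form `ip proto 89` is the capture filter that always works; whether a name like `ospf` is accepted there depends on the name lookup on the capturing host, while `ip.proto == 0x59` (or `== 89`, or simply `ospf`) is what you would type in the Wireshark display filter.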
